Executive Summary
Summary | 
---|---
Title | GNU Automake: Multiple vulnerabilities

Information | | | 
---|---|---|---
Name | GLSA-201310-15 | First vendor publication | 2013-10-25
Vendor | Gentoo | Last vendor modification | 2013-10-25
Severity (vendor) | Normal | Revision | N/A
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | 
---|---|---|---
Overall CVSS Score | NA | | 
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | | 
Security-Database Scoring CVSS v2
CVSS vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P) | | | 
---|---|---|---
CVSS Base Score | 4.4 | Attack Range | Local
CVSS Impact Score | 6.4 | Attack Complexity | Medium
CVSS Exploit Score | 3.4 | Authentication | None Required
Detail
Synopsis: Multiple vulnerabilities have been found in GNU Automake, allowing local arbitrary command execution with the privileges of the user running an Automake-based build.
Availability: http://security.gentoo.org/glsa/glsa-201310-15.xml
Original Source
Url: http://security.gentoo.org/glsa/glsa-201310-15.xml
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-362 | Race Condition |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11717
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:11717
Title | The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
Description | The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
Family | unix
Class | vulnerability
Reference(s) | CVE-2009-4029
Version | 5
Platform(s) | Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5

Definition Id: oval:org.mitre.oval:def:21044
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:21044
Title | RHSA-2013:0526: automake security update (Low)
Description | The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
Family | unix
Class | patch
Reference(s) | RHSA-2013:0526-02, CESA-2013:0526, CVE-2012-3386
Version | 4
Platform(s) | Red Hat Enterprise Linux 6, CentOS Linux 6
Product(s) | automake

Definition Id: oval:org.mitre.oval:def:22010
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:22010
Title | RHSA-2010:0321: automake security update (Low)
Description | The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
Family | unix
Class | patch
Reference(s) | RHSA-2010:0321-04, CVE-2009-4029
Version | 4
Platform(s) | Red Hat Enterprise Linux 5
Product(s) | automake, automake14, automake15, automake16, automake17

Definition Id: oval:org.mitre.oval:def:22739
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:22739
Title | ELSA-2010:0321: automake security update (Low)
Description | The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
Family | unix
Class | patch
Reference(s) | ELSA-2010:0321-04, CVE-2009-4029
Version | 6
Platform(s) | Oracle Linux 5
Product(s) | automake, automake14, automake15, automake16, automake17

Definition Id: oval:org.mitre.oval:def:24025
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:24025
Title | ELSA-2013:0526: automake security update (Low)
Description | The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
Family | unix
Class | patch
Reference(s) | ELSA-2013:0526-02, CVE-2012-3386
Version | 6
Platform(s) | Oracle Linux 6
Product(s) | automake

Definition Id: oval:org.mitre.oval:def:25255
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:25255
Title | SUSE-SU-2013:1329-1 -- Security update for automake
Description | This update of automake fixes a race condition in "distcheck". (CVE-2012-3386) Also a bug where world writeable tarballs were generated during "make dist" has been fixed (CVE-2009-4029).
Family | unix
Class | patch
Reference(s) | SUSE-SU-2013:1329-1, CVE-2012-3386, CVE-2009-4029
Version | 3
Platform(s) | SUSE Linux Enterprise Server 11
Product(s) | automake

Definition Id: oval:org.mitre.oval:def:26641
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:26641
Title | RHSA-2014:1243: automake security update (Low)
Description | Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards. It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck". (CVE-2012-3386) Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter. All automake users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.
Family | unix
Class | patch
Reference(s) | RHSA-2014:1243-00, CVE-2012-3386, CESA-2014:1243
Version | 5
Platform(s) | Red Hat Enterprise Linux 5, CentOS Linux 5
Product(s) | automake

Definition Id: oval:org.mitre.oval:def:26750
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:26750
Title | ELSA-2014-1243 -- automake security update (Low)
Description | Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards. It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck". (CVE-2012-3386) Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter. All automake users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.
Family | unix
Class | patch
Reference(s) | ELSA-2014-1243, CVE-2012-3386
Version | 3
Platform(s) | Oracle Linux 5
Product(s) | automake

Definition Id: oval:org.mitre.oval:def:27575
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:27575
Title | DEPRECATED: ELSA-2013-0526 -- automake security update (low)
Description | [1.11.1-4] - remove BR dependency on java-devel-openjdk [1.11.1-3] - fix for CVE-2012-3386 -- 'make distcheck' was making the directory distdir world-readable (#848469)
Family | unix
Class | patch
Reference(s) | ELSA-2013-0526, CVE-2012-3386
Version | 4
Platform(s) | Oracle Linux 6
Product(s) | automake

Definition Id: oval:org.mitre.oval:def:27954
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:27954
Title | DEPRECATED: ELSA-2010-0321 -- automake security update (low)
Description | [1.9.6-2.3] - increase delay in self checks - add delays in aclocal7 self check http://osdir.com/ml/sysutils.automake.bugs/2006-09/msg00012.html - preserve timestamps of configure files [1.9.6-2.2] - add fix for CVE-2009-4029
Family | unix
Class | patch
Reference(s) | ELSA-2010-0321, CVE-2009-4029
Version | 4
Platform(s) | Oracle Linux 5
Product(s) | automake, automake14, automake15, automake16, automake17
OpenVAS Exploits
Date | Name | File
---|---|---
2012-10-05 | Fedora Update for automake17 FEDORA-2012-14779 | nvt/gb_fedora_2012_14779_automake17_fc16.nasl
2012-10-05 | Fedora Update for automake17 FEDORA-2012-14770 | nvt/gb_fedora_2012_14770_automake17_fc17.nasl
2012-09-22 | Fedora Update for automake FEDORA-2012-14349 | nvt/gb_fedora_2012_14349_automake_fc17.nasl
2012-09-22 | Fedora Update for automake FEDORA-2012-14297 | nvt/gb_fedora_2012_14297_automake_fc16.nasl
2012-09-10 | Slackware Advisory SSA:2012-206-01 libpng | nvt/esoft_slk_ssa_2012_206_01.nasl
2012-08-10 | FreeBSD Ports: automake | nvt/freebsd_automake.nasl
2012-07-16 | Mandriva Update for automake MDVSA-2012:103 (automake) | nvt/gb_mandriva_MDVSA_2012_103.nasl
2010-10-19 | Mandriva Update for automake MDVSA-2010:203 (automake) | nvt/gb_mandriva_MDVSA_2010_203.nasl
2010-04-06 | RedHat Update for automake RHSA-2010:0321-04 | nvt/gb_RHSA-2010_0321-04_automake.nasl
2010-03-05 | Fedora Update for automake14 FEDORA-2010-1718 | nvt/gb_fedora_2010_1718_automake14_fc12.nasl
2010-03-05 | Fedora Update for automake16 FEDORA-2010-3520 | nvt/gb_fedora_2010_3520_automake16_fc12.nasl
2010-03-05 | Fedora Update for automake15 FEDORA-2010-3563 | nvt/gb_fedora_2010_3563_automake15_fc12.nasl
2010-03-05 | Fedora Update for automake17 FEDORA-2010-3569 | nvt/gb_fedora_2010_3569_automake17_fc11.nasl
2010-03-05 | Fedora Update for automake17 FEDORA-2010-3573 | nvt/gb_fedora_2010_3573_automake17_fc12.nasl
2010-03-05 | Fedora Update for automake14 FEDORA-2010-3591 | nvt/gb_fedora_2010_3591_automake14_fc11.nasl
2010-03-05 | Fedora Update for automake15 FEDORA-2010-1174 | nvt/gb_fedora_2010_1174_automake15_fc11.nasl
2010-03-05 | Fedora Update for automake16 FEDORA-2010-1148 | nvt/gb_fedora_2010_1148_automake16_fc11.nasl
2010-03-02 | Fedora Update for automake FEDORA-2010-1216 | nvt/gb_fedora_2010_1216_automake_fc11.nasl
2010-01-15 | Fedora Update for automake FEDORA-2009-13157 | nvt/gb_fedora_2009_13157_automake_fc12.nasl
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61210 | GNU Automake make dist / distcheck distdir Target Permission Weakness Race Co... |
Nessus® Vulnerability Scanner
Date | Name | File | Type
---|---|---|---
2014-12-15 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201412-08.nasl | ACT_GATHER_INFO
2014-10-12 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2014-401.nasl | ACT_GATHER_INFO
2014-10-01 | The remote CentOS host is missing a security update. | centos_RHSA-2014-1243.nasl | ACT_GATHER_INFO
2014-09-29 | The remote Scientific Linux host is missing a security update. | sl_20140916_automake_on_SL5_x.nasl | ACT_GATHER_INFO
2014-09-18 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2014-1243.nasl | ACT_GATHER_INFO
2014-09-16 | The remote Red Hat host is missing a security update. | redhat-RHSA-2014-1243.nasl | ACT_GATHER_INFO
2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2012-795.nasl | ACT_GATHER_INFO
2013-10-27 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201310-15.nasl | ACT_GATHER_INFO
2013-08-14 | The remote SuSE 11 host is missing a security update. | suse_11_automake-130812.nasl | ACT_GATHER_INFO
2013-07-12 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2013-0526.nasl | ACT_GATHER_INFO
2013-04-20 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2013-031.nasl | ACT_GATHER_INFO
2013-03-10 | The remote CentOS host is missing a security update. | centos_RHSA-2013-0526.nasl | ACT_GATHER_INFO
2013-03-01 | The remote Scientific Linux host is missing a security update. | sl_20130221_automake_on_SL6_x.nasl | ACT_GATHER_INFO
2013-02-21 | The remote Red Hat host is missing a security update. | redhat-RHSA-2013-0526.nasl | ACT_GATHER_INFO
2012-10-04 | The remote Fedora host is missing a security update. | fedora_2012-14762.nasl | ACT_GATHER_INFO
2012-10-04 | The remote Fedora host is missing a security update. | fedora_2012-14770.nasl | ACT_GATHER_INFO
2012-10-04 | The remote Fedora host is missing a security update. | fedora_2012-14779.nasl | ACT_GATHER_INFO
2012-09-24 | The remote Fedora host is missing a security update. | fedora_2012-14297.nasl | ACT_GATHER_INFO
2012-09-19 | The remote Fedora host is missing a security update. | fedora_2012-14349.nasl | ACT_GATHER_INFO
2012-09-06 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2012-103.nasl | ACT_GATHER_INFO
2012-08-08 | The remote FreeBSD host is missing a security-related update. | freebsd_pkg_36235c38e0a811e19f4d002354ed89bc.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20100330_automake_on_SL5_x.nasl | ACT_GATHER_INFO
2012-07-25 | The remote Slackware host is missing a security update. | Slackware_SSA_2012-206-01.nasl | ACT_GATHER_INFO
2010-10-14 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2010-203.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-3569.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-3573.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-3563.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-3520.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-1718.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-1216.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-1174.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-1148.nasl | ACT_GATHER_INFO
2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-3591.nasl | ACT_GATHER_INFO
2010-05-11 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2010-0321.nasl | ACT_GATHER_INFO
2010-02-25 | The remote Fedora host is missing a security update. | fedora_2009-13157.nasl | ACT_GATHER_INFO
Alert History
Date | Information
---|---
2014-02-17 11:37:50 | 
2013-10-26 05:18:29 | 